22736 – php new security issue CVE-2018-7584

Bug 22736 - php new security issue CVE-2018-7584

Summary: php new security issue CVE-2018-7584

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2018-03-11 14:46 CET by David Walser
Modified:	2018-03-14 17:22 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	php-5.6.33-1.mga6.src.rpm
CVE:
Status comment:	Fixed upstream in 5.6.34

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-11 14:46:22 CET

Upstream has released PHP 5.6.34 on March 1, fixing one security issue:
http://www.php.net/ChangeLog-5.php#5.6.34

Mageia 5 is also affected.

David Walser 2018-03-11 14:46:37 CET

Status comment: (none) => Fixed upstream in 5.6.34
Whiteboard: (none) => MGA5TOO

Comment 1 Marc Krämer 2018-03-11 23:37:53 CET

@David: please report php issues to the php-mailing list. I'm wondering why I missed this php update, but thanks.

CC: (none) => mageia

Marc Krämer 2018-03-11 23:37:59 CET

Assignee: bugsquad => mageia

Comment 2 David Walser 2018-03-11 23:39:20 CET

Marc, I report all security issues to Bugzilla.  Maintainers need to watch it or the bugsquad needs to assign the bugs to the right place.

Comment 3 Marc Krämer 2018-03-11 23:55:20 CET

Updated php-packages for mga5/6:

Suggested advisory:
========================

Updated php packages fix security vulnerability:
Update to php 5.6.34 fixes a stack-buffer-overflow while parsing HTTP response). (CVE-2018-7584)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
http://www.php.net/ChangeLog-5.php#5.6.34
========================

Updated packages in core/updates_testing:
========================
php-ini-5.6.34-1.mga6
apache-mod_php-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-cgi-5.6.34-1.mga6
libphp5_common5-5.6.34-1.mga6
php-devel-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6
php-doc-5.6.34-1.mga6
php-bcmath-5.6.34-1.mga6
php-bz2-5.6.34-1.mga6
php-calendar-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dba-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-enchant-5.6.34-1.mga6
php-exif-5.6.34-1.mga6
php-fileinfo-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-gmp-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-iconv-5.6.34-1.mga6
php-imap-5.6.34-1.mga6
php-interbase-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-ldap-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-mcrypt-5.6.34-1.mga6
php-mssql-5.6.34-1.mga6
php-mysql-5.6.34-1.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-odbc-5.6.34-1.mga6
php-opcache-5.6.34-1.mga6
php-pcntl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_dblib-5.6.34-1.mga6
php-pdo_firebird-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_odbc-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-pgsql-5.6.34-1.mga6
php-phar-5.6.34-1.mga6
php-posix-5.6.34-1.mga6
php-readline-5.6.34-1.mga6
php-recode-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-shmop-5.6.34-1.mga6
php-snmp-5.6.34-1.mga6
php-soap-5.6.34-1.mga6
php-sockets-5.6.34-1.mga6
php-sqlite3-5.6.34-1.mga6
php-sybase_ct-5.6.34-1.mga6
php-sysvmsg-5.6.34-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-tidy-5.6.34-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlrpc-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-xsl-5.6.34-1.mga6
php-wddx-5.6.34-1.mga6
php-zip-5.6.34-1.mga6
php-fpm-5.6.34-1.mga6
phpdbg-5.6.34-1.mga6
php-debuginfo-5.6.34-1.mga6

Source RPMs: 
php-5.6.34-1.mga5.src.rpm
php-5.6.34-1.mga6.src.rpm

Marc Krämer 2018-03-11 23:55:30 CET

Assignee: mageia => qa-bugs

Comment 4 PC LX 2018-03-12 12:09:02 CET

Installed and tested without issues.

Tests included using a variety of large and small script (e.g. wordpress, drupal, custom scripts) that make extensive use of PHP and PHP extensions. Several of the custom scripts have test units that completed successfully.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep php | sort
apache-mod_php-5.6.34-1.mga6
lib64php5_common5-5.6.34-1.mga6
php-cli-5.6.34-1.mga6
php-ctype-5.6.34-1.mga6
php-curl-5.6.34-1.mga6
php-dom-5.6.34-1.mga6
php-filter-5.6.34-1.mga6
php-ftp-5.6.34-1.mga6
php-gd-5.6.34-1.mga6
php-gettext-5.6.34-1.mga6
php-hash-5.6.34-1.mga6
php-ini-5.6.34-1.mga6
php-intl-5.6.34-1.mga6
php-json-5.6.34-1.mga6
php-mbstring-5.6.34-1.mga6
php-memcached-2.2.0-2.mga6
php-mysqli-5.6.34-1.mga6
php-mysqlnd-5.6.34-1.mga6
php-openssl-5.6.34-1.mga6
php-pdo-5.6.34-1.mga6
php-pdo_mysql-5.6.34-1.mga6
php-pdo_pgsql-5.6.34-1.mga6
php-pdo_sqlite-5.6.34-1.mga6
php-phpmailer-5.2.24-1.1.mga6
php-posix-5.6.34-1.mga6
php-session-5.6.34-1.mga6
php-suhosin-0.9.38-1.mga6
php-sysvsem-5.6.34-1.mga6
php-sysvshm-5.6.34-1.mga6
php-timezonedb-2017.2-1.mga6
php-tokenizer-5.6.34-1.mga6
php-xdebug-2.4.0-1.mga6
php-xml-5.6.34-1.mga6
php-xmlreader-5.6.34-1.mga6
php-xmlwriter-5.6.34-1.mga6
php-zlib-5.6.34-1.mga6

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => mageia

Comment 5 David Walser 2018-03-12 12:45:09 CET

Thanks Marc.  Tested fine on Mageia 5 x86_64 with my normal battery of tests.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 6 claire robinson 2018-03-14 15:01:32 CET

Advisory uploaded. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-14 17:22:15 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0167.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.